May 2015 - Linux-audit - Linux-Audit List Archives

How do I get complete list of audit event types

by Satish Chandra Kilaru

Hi I want to understand the logs in /var/log/audit/audit.log. Where can I get complete list of audit event types and what they mean? --Satish Please Donate to www.wikipedia.org

6 years, 5 months

4
5
0 / 0

[PATCH 0/5] Audit Cross Compile Fixes

by Clayton Shotwell

The following are 5 patches that I have been working on for a while to allow the audit package to cross compile correctly for various targets. This work is all being done to add audit along with SELinux to the Buildroot build system. Most of the changes are minor and only relate to compile time issues with toolchains, such as uClibc, and missing dependencies. See the link below for the Buildroot patch submission. http://buildroot-busybox.2317881.n4.nabble.com/PATCH-v6-00-22-SELinux-Bui... The one major patch enables cross compiling support for the gen_tables.c functionality. Since gen_tables needs to be run on the host rather than the target, I had to add Automake support for handling the host compiler. I based these changes off of a patch set done a couple of years ago (See link below), a similar patch set I and done, while incorporating the feedback received from the community. https://www.redhat.com/archives/linux-audit/2012-November/msg00000.html Any feedback would be greatly appreciated. Clayton Shotwell (5): Enable cross compiling Make zos-remote plugin optional Default ADDR_NO_RANDOMIZE if not found Do not call posix_fallocate() if unavailable Fix header detection when cross compiling audisp/plugins/Makefile.am | 6 +- audisp/plugins/remote/queue.c | 2 + auparse/Makefile.am | 276 ++++++++++++++++++++++++++++-------------- auparse/interpret.c | 4 + configure.ac | 14 ++- lib/Makefile.am | 133 ++++++++++++-------- lib/gen_tables.c | 2 +- m4/ax_prog_cc_for_build.m4 | 125 +++++++++++++++++++ 8 files changed, 420 insertions(+), 142 deletions(-) create mode 100644 m4/ax_prog_cc_for_build.m4 -- 1.9.1

8 years, 10 months

2
8
0 / 0

[PATCH 1/1] Added exe field to audit core dump signal log

by Paul Davies C

Currently when the coredump signals are logged by the audit system , the actual path to the executable is not logged. Without details of exe , the system admin may not have an exact idea on what program failed. This patch changes the audit_log_task() so that the path to the exe is also logged. Signed-off-by: Paul Davies C <pauldaviesc(a)gmail.com> --- kernel/auditsc.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9845cb3..988de72 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab) kuid_t auid, uid; kgid_t gid; unsigned int sessionid; + struct mm_struct *mm = current->mm; auid = audit_get_loginuid(current); sessionid = audit_get_sessionid(current); @@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab) audit_log_task_context(ab); audit_log_format(ab, " pid=%d comm=", current->pid); audit_log_untrustedstring(ab, current->comm); + if (mm) { + down_read(&mm->mmap_sem); + if (mm->exe_file) + audit_log_d_path(ab, " exe=", &mm->exe_file->f_path); + up_read(&mm->mmap_sem); + } } static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr) -- 1.7.9.5

8 years, 10 months

5
8
0 / 0

[PATCH 1/1] Obsolete check is now removed.

by Mikhail Klementyev

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - From a2e33ce7c9b5ceff2a8b570b570ddd0023ce077f Mon Sep 17 00:00:00 2001 From: Mikhail Klementyev<jollheef(a)riseup.net> Date: Mon, 25 May 2015 23:20:38 +0300 Subject: [PATCH 1/1] Obsolete check is now removed. Signed-off-by: Mikhail Klementyev<jollheef(a)riseup.net> - --- kernel/auditsc.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9fb9d1c..ee09794 100644 - --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -599,9 +599,7 @@ static int audit_filter_rules(struct task_struct *tsk, result = match_tree_refs(ctx, rule->tree); break; case AUDIT_LOGINUID: - - result = 0; - - if (ctx) - - result = audit_uid_comparator(tsk->loginuid, f->op, f->uid); + result = audit_uid_comparator(tsk->loginuid, f->op, f->uid); break; case AUDIT_LOGINUID_SET: result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val); - -- 2.0.5 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBAgAGBQJVY4cJAAoJEE7XYCHzWN5TQVkQAMYCSkzSlIVA9sTmrZk0bDA1 62pbY22hEFfWN41268hjhhQ/wiuM14LI34oTeCPnqxQIopTt9bnAW9ZwPfgNFG2F T/nSLZVJMwjjs/b1DrAV4fDWYtlIjedm/HhhumFIyOfDkAPIgs2cBcWiGkB6D9ly oi/ccMaTo4c59kfTwCjYKgpY8iPMdm547fR8YVEt+eX+nfJSMbCcrnkBoFoZl4tk RHjKmuTyjJ9U5ht94Rws/xKMYQ+g+I+CV6L1FpzOY9ZVaFLelsOJKiipkXMemwih NCC4qtd6HF/rbd0jFQpzU1QViw7y/ZxcduAmqmr7yg1oxNYqhzt9OIcKlH1QWqrQ eKdPDxd23n+t9yri1cIExb0Cik6ySRR0lRn/IOfSAgaJAZX0r5+Db+LkWYymXgHp D8edl1WvpjkNo+R/GjNvaDM9jKB3Z6FblUlteqMQB9mCnwys3YKcc4ma5aGXbO24 fF28r632nDZrj+knIU171VtEyEjbnzo05bJnIiOW167STKBmbFgHgGTI/yhCHBro wp6kg0ns+WK3tE+BvXhG/iysTAUvAhf/bnMlFaZ8j1GGhEzWGJveDINEIcCzRsoR UncA/96yN4Sqw1Acq5+s9SaD+NMt++Iz1JbYck8rpJlO8zgpxF/6lb9Fz1B9o/LH B20jap46V3UDEjzEp3DS =Puu1 -----END PGP SIGNATURE-----

8 years, 11 months

2
1
0 / 0

[PATCH] kernel:audit - Fix for typo in comment to function audit_log_link_denied().

by Shailendra Verma

Signed-off-by: Shailendra Verma <shailendra.capricorn(a)gmail.com> --- kernel/audit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/audit.c b/kernel/audit.c index 1c13e42..f9e6065 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1904,7 +1904,7 @@ EXPORT_SYMBOL(audit_log_task_info); /** * audit_log_link_denied - report a link restriction denial - * @operation: specific link opreation + * @operation: specific link operation * @link: the path that triggered the restriction */ void audit_log_link_denied(const char *operation, struct path *link) -- 1.7.9.5

8 years, 11 months

2
1
0 / 0

[PATCH] lsm: rename duplicate labels in LSM_AUDIT_DATA_TASK audit message type

by Richard Guy Briggs

The LSM_AUDIT_DATA_TASK pid= and comm= labels are duplicates of those at the start of this function with different values. Rename them to their object counterparts opid= and ocomm= to disambiguate. Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> --- security/lsm_audit.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/security/lsm_audit.c b/security/lsm_audit.c index b526ddc..3323144 100644 --- a/security/lsm_audit.c +++ b/security/lsm_audit.c @@ -282,7 +282,7 @@ static void dump_common_audit_data(struct audit_buffer *ab, pid_t pid = task_pid_nr(tsk); if (pid) { char comm[sizeof(tsk->comm)]; - audit_log_format(ab, " pid=%d comm=", pid); + audit_log_format(ab, " opid=%d ocomm=", pid); audit_log_untrustedstring(ab, memcpy(comm, tsk->comm, sizeof(comm))); } -- 1.7.1

8 years, 11 months

2
1
0 / 0

re: [PATCH V5 0/5] audit by executable name

by Peter Moody

Did this [1] land? I'm guessing no because the next pull request from Eric Paris didn't include it and I don't see it referenced in any of Paul's pull requests. Finally (most tellingly), I don't see anything in Linus' tree. Cheers, peter [1] https://www.redhat.com/archives/linux-audit/2014-October/msg00024.html

8 years, 11 months

3
3
0 / 0

Re: log rendering in real time in audit-viewer

by Arthym Krivo

Hello, I applied this patch [1] and it works well. Don't understand why he stayed without attention? -A.K. [1] https://www.redhat.com/archives/linux-audit/2015-March/msg00018.html

8 years, 11 months

1
0
0 / 0

Excluding files from auditing

by Xavier Lashmar

Hi there, I've configured audit.rules on a server that I administer, to log all file-system activity matching permissions "wa". A few files under these directories are to be excluded. In particular, I am attempting to exclude the logging of actions on files which may not yet exist. For example: A user like "Apache" might try to read and write to a file called "thisfileexists.php" which exists on the FS. I consider this action perfectly valid and do not require it to be logged; instead I create a rule to exclude it, using the system call matching rule "exit,never -F path=..." On the other hand, a user like "Apache" might try to write to a file called "thisfilesdoesnotyetexist.php" which does not yet exist, which I also consider to be a perfectly valid action, and require no log of. This action however, is on a specific file that I know Apache will try to write to, but has not yet been created and may never exist. An example configuration of /etc/audit/audit.rules #### EXCLUDE FALSE POSITIVES #### -a exit,never -F path=/var/www/html/somepath/thisfilesdoesnotexist.php -a exit,never -F path=/var/www/html/somepath/thisfileexists.php #### LOG EVERYTHING ELSE #### -w /var/www/html -p wa -k webserver-writes Essentially the above rule should log all activity, except for the excluded items: /var/www/html/somepath/thisfilesdoesnotexist.php /var/www/html/somepath/thisfileexists.php However, since "thisfiledoesnotexist.php" does not actually exist, it seems that the audit rule does not apply and if the "Apache" user tries to create it, the action gets logged. This is not what I want or expected. The "thisfileexists.php" on the other hand, does exist and the audit rule seem to function and does NOT log write actions. This is what I want and expected. >From the above experiment I deduce that an audit rule to exclude from logging a system-call using "exit,never", will not function if the file it refers to does not exist. Is this correct or did I simply make a mistake? Thank you for any clarification provided, Xavier Lashmar Analyste de Systèmes | Systems Analyst Service étudiants | Student Web Services Service de l'informatique et des communications | Computing and Communications Services. Tél. | Tel. 613-562-5800 (2120)

8 years, 11 months

1
0
0 / 0

auditd and SSHD exported variables

by Guillaume L.

Hello, Is there a way to log with auditd exported variables through ssd ? My servers are used by many users but with the same account. So, I export the SSH_USER variable from our "bastion" (where each user has a specific account). With this configuration I can retrieve the remote login. I use this script in /etc/profile.d/: logger -p local0.notice "`date` ": Connection from $SSH_USER@`echo $SSH_CONNECTION | cut -d " " -f1`":"`echo $SSH_CONNECTION | cut -d " " -f2` for $USER ($SSH_USER is the variable exported via SSHD) The ultimate goal is to match the following log with the "remote user" (because all users use the uid 1000 to connect to the server): type=SYSCALL msg=audit(1431694892.457:37824): arch=c000003e syscall=59 success=yes exit=0 a0=14cea68 a1=1423a48 a2=1553008 a3=0 items=2 ppid=30894 pid=30947 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=17 comm="ls" exe="/bin/ls" key="auditcmd" type=EXECVE msg=audit(1431694892.457:37824): argc=1 a0="ls" type=CWD msg=audit(1431694892.457:37824): cwd="/root" type=PATH msg=audit(1431694892.457:37824): item=0 name="/bin/ls" inode=157 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL type=PATH msg=audit(1431694892.457:37824): item=1 name=(null) inode=4212 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL type=PROCTITLE msg=audit(1431694892.457:37824): proctitle="ls" Thank you in advance. Regards, -- Guillaume

8 years, 11 months

3
4
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit May 2015